Learn how Cloud Posse recently architected and implemented WordPress for massive scale on Amazon EC2. We’ll show you exactly the tools that we used and our recipe to both secure and power WordPress setups on AWS using Elastic Beanstalk, EFS, CodePipeline, Memcached, Aurora and Varnish.
Secrets are any sensitive piece of information (like a password, API token, TLS private key) that must be kept safe. This presentation is a practical guide covering what we’ve done at Cloud Posse to lock down secrets in production. It includes our answer to avoid the same pitfalls that Shape Shift encountered when they were hacked. The techniques presented are compatible with automated cloud environments and even legacy systems.
Kelsey Hightower, a Google Developer Advocate and Google Cloud Platform evangelist, recently gave a very helpful screencast demonstrating some of the tips & tricks he uses when developing Go microservices for Kubernetes & docker. Among other things, he recommends being very verbose during the initialization of your app by outputting environment variables and port bindings. He also raises the important distinction between readiness probes and liveness probes and when to use them. Lastly, in the Q&A he explains why it’s advantageous to use resource files instead of editing live configurations because the former fits better in to a pull-request workflow that many companies already use as part of the CI/CD pipeline.
Heroku has deployed more services in a cloud environment than probably any other company. They operate a massive “Platform-as-a-Service” that enables someone to deploy most kinds of apps just by doing a simple
git push. Along the way, they developed pattern for how to write applications so that they can be easily and consistently deployed in cloud environments. Their platform abides by this pattern, but it can be implemented in many ways.
The 12-factor pattern can be summed up like this:
Treat all micro-services as disposable services that receive their configuration via environment variables and rely on backing services to provide durability. Any time you need to make a change it should be scripted. Treat all environments (dev, prod, qa, etc) as identical.
Of course, this assumes that the cloud-architecture plays along with this methodology for it to work. For a cloud-architecture to be “12 factor” compliant, here are some recommended criteria.
- Applications can be pinned to a specific version or branch
- All deployments are versioned
- Multiple concurrent versions can be deployed at the same time (e.g. prod, dev, qa)
- Service dependencies are explicitly declared
- Dependencies can be isolated between services
- Services can be logically grouped together
- All configuration is passed via environment variables
- Services can announce availability and discover other services
- Services can be dynamically reconfigured (e.g. for auto-scaling)
4. Backing Services
- Services depend on object stores to store assets (if applicable)
- Services use environment variables to find backing services
- Platform supports backing services like MySQL, Redis or Memcache
5. Build, release, run (PaaS)
- Automation of deployment (build, release, run)
- All builds produce immutable images
- Deployment should not result in down-time
- Micro-services should consist of a single process
- Processes are stateless and share-nothing
- Ephemeral filesystem can be used for temporary storage
7. Port binding
- Services should be able to run on any port defined by the platform
- Service discovery should incorporate ports
- Some sort of routing layer handles requests and distributes them to port-bound processes
- Concurrency is achieved by replicating the micro-service
- Scaled automatically without human intervention
- Only sends traffic to healthy services
- Services are entirely disposable (not maintain any local state)
- They can be easily created or destroyed
- They are not upgraded or patched
10. Dev/prod parity
- All environments function the same way
- Guarantees that all services in an environment are identical
- Code runs the same way in all places
- Logs treated as event streams that can be subscribed to by multiple consumers
- Logs collected from all nodes in cluster and centrally aggregated for auditing all activity
- Alerts can be generated from log events
12. Admin processes
- It should never be necessary to login to servers to manually make changes
- APIs exist so that everything can be scripted
- Regular tasks can be scheduled to run automatically